Help with Malware (DWM.exe Trojan.BitcoinMiner)

argus:
Please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes:
[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click the "Run" button. Wait for the program to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt


> I don't need DelFix log report.





I recommend using MCShield, if you wish.
You may download MCShield from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, but it will also immediately clean the flash drive, memory card or external HDD.

stamopoulos:
Hello

Today avast comes up with a message every few minutes about a trojan horse: wuaudit.exe & win32BitCoinMiner.

It has slowed down my PC and although I manually delete the folder in C\users\username\AppData\local\temp\iswizard\waudit.exe it somehow manages to show up again.

I also scanned and removed all problems found by Malwarebytes Anti Malware and HitMan Pro3 but that didn't fix the problem.

I think I did the procedure listed in http://forum.avast.com/index.php?topic=53253.0 and now I have 3 log files ready to send to you in case you could help me.

Thanks a lot for your time




argus:
@stamopoulos


Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

--- Code: ---
:OTL
MOD - [2013/08/19 09:12:30 | 001,504,768 | ---- | M] () -- C:\Users\George\AppData\Local\Temp\tsiVi332.dll
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://websearch.pur-esult.info/?pid=722&r=2013/08/18&hid=2708562839&lg=EN&cc=GR
IE - HKLM\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.pur-esult.info/?l=1&q={searchTerms}&pid=722&r=2013/08/18&hid=2708562839&lg=EN&cc=GR
IE - HKU\S-1-5-21-1090180737-2106620449-67545335-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://websearch.pur-esult.info/?pid=722&r=2013/08/18&hid=2708562839&lg=EN&cc=GR
IE - HKU\S-1-5-21-1090180737-2106620449-67545335-1000\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.pur-esult.info/?l=1&q={searchTerms}&pid=722&r=2013/08/18&hid=2708562839&lg=EN&cc=GR
FF - prefs.js..browser.search.defaulturl: "http://websearch.pur-esult.info/?pid=722&r=2013/08/18&hid=2708562839&lg=EN&cc=GR&l=1&q="
FF - prefs.js..browser.search.order.1: "WebSearch"
FF - prefs.js..browser.search.order.1,S: S", "WebSearch"
FF - prefs.js..browser.search.selectedEngine,S: S", "WebSearch"
FF - prefs.js..browser.search.defaultenginename,S: S", "WebSearch"
FF - prefs.js..keyword.URL: "http://websearch.pur-esult.info/?pid=722&r=2013/08/18&hid=2708562839&lg=EN&cc=GR&l=1&q="
[2013/08/18 12:37:56 | 000,007,828 | ---- | M] () -- C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\il3le3rz.default\searchplugins\WebSearch.xml
O4 - HKU\S-1-5-21-1090180737-2106620449-67545335-1000..\Run: [tsiVideo] C:\Users\George\AppData\Local\Temp\tsiVi332.dll ()
O33 - MountPoints2\{dc5dc6a4-e220-11e2-89fd-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{dc5dc6a4-e220-11e2-89fd-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Install.exe -- [2007/03/21 17:54:34 | 001,787,904 | R--- | M] (RUNET www.runet-software.com)

:commands
[CREATERESTOREPOINT]
[emptytemp]


--- End code ---
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.

If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log







Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*]  Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.



[*] Double click on zoek.exe to run the tool.
Please wait while the tool starts...


[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:


--- Code: ---
process;
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;


--- End code ---
[*] Click on button
Please wait until a log report opens (this can be after a reboot).

[*] Save the Notepad file to your Desktop and attach zoek-results.log here.

Note: It will also create a log in the C:\ directory named "zoek-results.log"
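
Added example, not part of the original posts and not code from OTL or its author: a small Python triage pass over log lines in the shape quoted in the OTL fix above, flagging Run values that start a file from a Temp directory and MountPoints2 AutoRun commands. The sample lines, names and SID are constructed, and reading the trailing parentheses as the file's company name is an assumption based on the `(RUNET ...)` entry in the post.

```python
import re

# Constructed sample lines modelled on the log shape quoted in the post;
# user name, SID, GUID and file names are placeholders, not real findings.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [ExampleAV] C:\Program Files\ExampleAV\tray.exe (Example Vendor)
O4 - HKU\S-1-5-21-0-0-0-1000..\Run: [updater] C:\Users\alice\AppData\Local\Temp\upd123.dll ()
O4 - HKU\S-1-5-21-0-0-0-1000..\Run: [Sync] C:\Users\alice\AppData\Roaming\Sync\sync.exe (Example Sync Ltd)
O33 - MountPoints2\{00000000-0000-0000-0000-000000000000}\Shell\AutoRun\command - "" = E:\setup.exe
"""

# "O4 - <hive>..\Run: [<value name>] <path> (<company>)"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r"(?P<path>.+?) \((?P<vendor>[^()]*)\)$")
# "O33 - MountPoints2\{guid}\Shell\AutoRun\command - "" = <command>"
AUTORUN_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command'
    r' - "" = (?P<cmd>\S+)')
TEMP_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


def triage(log_text):
    """Return (line, reasons) for autostart entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = RUN_RE.match(line)
        if m:
            if TEMP_RE.search(m["path"]):
                reasons.append("Run value starts a file from a Temp directory")
            if not m["vendor"].strip():  # assumption: () means no company name
                reasons.append("no company name in file metadata")
        m = AUTORUN_RE.match(line)
        if m:
            reasons.append("removable-media AutoRun command: " + m["cmd"])
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    - " + reason)
```

A Run value that survives deleting the file is one reason a manually removed file "shows up again"; the flagged lines are candidates for review, not a verdict.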



shepjas01:
Hi, I have a similar problem with my computer.

My Internet security program keeps flashing up that a harmful Trojan was prevented from opening. It is quarantined every time, fortunately, but I want it gone before it gets in. The Trojan is listed as dwn.exe trojan.

I have used all the programs in this post as well as doing numerous scans, quarantining and deleting, but it keeps coming back.
Can you advise the process to get rid of it, if possible?
Thanks in advance

Pondus:

--- Quote from: shepjas01 on January 05, 2014, 11:47:35 AM ---Hi, I have a similar problem with my computer.

My Internet security program keeps flashing up that a harmful Trojan was prevented from opening. It is quarantined every time, fortunately, but I want it gone before it gets in. The Trojan is listed as dwn.exe trojan.

I have used all the programs in this post as well as doing numerous scans, quarantining and deleting, but it keeps coming back.
Can you advise the process to get rid of it, if possible?
Thanks in advance

--- End quote ---
You should not run the tools without instructions.
Any fix posted here is made for one specific computer, based on the logs attached.

If you want help, start your own topic and follow the instructions here: http://forum.avast.com/index.php?topic=53253.0
Attach Malwarebytes / OTL / aswMBR logs.
